Lecture
The domain restriction rule (Same Origin Policy, translated from English - “Principle of the same source”) is an important security concept for some client-side programming languages, such as JavaScript. The policy allows scripts on the pages of one site to access methods and properties of each other without restrictions, but prevents access to most methods and properties for pages on different sites. Identical sources are those that coincide with three signs:
The same-origin policy defines how a document or script loaded from one source (origin) can interact with a resource from another source (origin). This is a critical security mechanism for isolating potentially dangerous documents.
Two pages have the same origin (source) if the protocol, port (if specified), and host are the same for both pages. From time to time, you can see this as the "scheme / host / port tuple" (where "tuple" translates as a tuple or record is a set of three components that together form a single entity).
The following table gives examples of origin comparisons with the URL http://store.company.com/dir/page.html:
URL | result | cause |
---|---|---|
http://store.company.com/dir2/other.html | success | |
http://store.company.com/dir/inner/another.html | success | |
https://store.company.com/secure.html | failure | Different protocols |
http://store.company.com:81/dir/etc.html | failure | Different port |
http://news.company.com/dir/other.html | failure | Different host |
See also origin definition for file: URLs.
For illustration, the following table gives an overview of typical checks for comparison with the example URL "http://www.example.com/dir/page.html".
Compare URL | Check | Cause |
---|---|---|
http://www.example.com /dir/page.html | Complies | The same protocol and domain |
http://www.example.com/dir2/other.html | Complies | The same protocol and domain |
http: // username: password @ www.example.com /dir2/other.html | Complies | The same protocol and domain |
http://www.example.com: 81 /dir/other.html | Does not match | Same protocol and domain, but different port |
https : //www.example.com/dir/other.html | Does not match | The protocol is different |
http: // en.example.com /dir/other.html | Does not match | Domain is different |
http: // example.com /dir/other.html | Does not match | Domain is different (full compliance required) |
http: // v2.www.example.com /dir/other.html | Does not match | Domain is different (full compliance required) |
http://www.example.com: 80 /dir/other.html | Undefined | Explicit indication of the port. Depends on the implementation in the browser. |
The contents of the about: blank and javascript: URLs inherit the source from the document that loads the URL, since the URL itself does not provide any information about the origin. data: URLs get a new, empty, security context.
Note: Before Gecko 6.0, dataURL, the inherited security context of the current page in the browser window, if the user enters dataURL into the address bar.
Internet Explorer has two major exceptions when it comes to the same origin policy.
These exceptions are non-standard and not supported in any other browser, but would be useful when developing an application for a Windows RT-based web application (or) based on IE.
The page may change its origin with some restrictions. The script can set the value of document.domain for the current domain or super domain of the current domain. If it sets it to the superdomain of the current domain, the shorter domain is used for subsequent origin checks. For example, suppose the script in document http://store.company.com/dir/other.html executes the following statement:
document.domain = "company.com";
After completing this statement, the page can pass the verification of origin http://company.com/dir/page.html (provided that it http://company.com/dir/page.html sets the document.domain value to "company.com" to indicate that she wants to allow this - see document.domain (for more). However, company.com may not install, document.domain to othercompany.com, which is not a company.com superdomain.
The port number is stored separately by the browser. Any call to the setter, including document.domain = document.domain, causes the port number to be overwritten null. Therefore, one cannot do company.com:8080 a conversation with company.com using only setting document.domain = "company.com" in the first one. It should be set as for both port numbers null.
Note. When using document.domain to allow a subdomain to contact its parent safely, you need to set document.domain to have the same value in both the parent domain and the subdomain. This is necessary, even if it simply returns the parent domain to its original value. Failure to do so may result in permission errors.
Policies of the same origin control interactions between two different sources, for example, when you use the XMLHttpRequest or <img> element. These interactions are usually divided into three categories:
Here are some examples of resources that can be embedded in cross-origin:
Use CORS to allow cross-start access.
JavaScript APIs such as iframe.contentWindow, window.parent, window.open, and window.opener allow documents to directly link to each other. If the two documents do not have the same origin, these links provide very limited access to Window and Location objects, as described in the next two sections.
To communicate between documents from different sources, use window.postMessage.
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-window.
Window Access to properties is available for several reasons:
methods |
---|
window.blur |
window.close |
window.focus |
window.postMessage |
Attributes | |
---|---|
window.closed | Only reading. |
window.frames | Only reading. |
window.length | Only reading. |
window.location | Read write. |
window.opener | Only reading. |
window.parent | Only reading. |
window.self | Only reading. |
window.top | Only reading. |
window.window | Only reading. |
Some browsers allow access to more properties than the specification allows.
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#security-location.
Location Access to properties is available for several reasons:
methods |
---|
location.replace |
Attributes | |
---|---|
URLUtils.href | Write only. |
Some browsers allow access to more properties than the specification allows.
Access to data stored in the browser, such as localStorage and IndexedDB, is divided by origin. Each lineage gets its own separate repository, and JavaScript in one source cannot read or write to storage belonging to another source.
Cookies use a separate definition of origin. A page can set cookies for its domain or any parent domain if the parent domain is not a public suffix. Firefox and Chrome use a public suffix list to determine if a domain is a public suffix. Internet Explorer uses its own internal method to determine if a domain is a public suffix. The browser will make a cookie available for this domain, including any subdomains, regardless of which protocol (HTTP / HTTPS) or port is used. When you set a cookie, you can limit its accessibility using the Domain, Path, Secure and Http-Only flags. When you read a cookie, you cannot see where it was installed from. Even if you only use secure https connections, any cookie you see can be set up using an insecure connection.
Comments
To leave a comment
Malicious, and information security
Terms: Malicious, and information security